---
title: SecretsProvider
description: Uses the specified secret stores to resolve queried secrets, such as passwords and cryptographic keys. Attempts to resolve the secret with the secret stores in the order that they are declared in the array.
component: pinggateway
version: 2026
page_id: pinggateway:reference:SecretsProvider
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/SecretsProvider.html
revdate: 2025-06-02T18:01:47Z
section_ids:
  SecretsProvider-usage: Usage
  SecretsProvider-properties: Properties
  SecretsProvider-example: Example
  SecretsProvider-moreinfo: More information
---

# SecretsProvider

Uses the specified secret stores to resolve queried secrets, such as passwords and cryptographic keys. Attempts to resolve the secret with the secret stores in the order that they are declared in the array.

## Usage

```json
{
  "name": string,
  "type": "SecretsProvider",
  "config": {
    "stores": [ SecretStore reference, ... ]
  }
}
```

This object can alternatively be configured in a compact format, without the SecretsProvider declaration, as follows:

* With an inline secret store:

  ```json
  "secretsProvider": {
    "type": "secret store type1",
    "config": {...}
  }
  ```

* With multiple inline secret stores:

  ```json
  "secretsProvider": [
    {
      "type": "secret store type1",
      "config": {...}
    },
    {
      "type": "secret store type2",
      "config": {...}
    }
  ]
  ```

* With a referenced secret store:

  ```json
  "secretsProvider": "mySecretStore1"
  ```

* With multiple referenced secret stores:

  ```json
  "secretsProvider": [
    "mySecretStore1", "mySecretStore2"
  ]
  ```

Refer to [Example](#SecretsProvider-example) for more example configurations.

## Properties

* `"stores"`: *array of SecretStore [references](preface.html#definition-reference), required*

  One or more secret stores to provide access to stored secrets. Configure secret stores described in [Secrets](secrets.html).

## Example

The following SecretsProvider is used in [Discovery and dynamic registration with PingAM](../gateway-guide/oidc-dynamic.html).

```json
"secretsProvider": {
  "type": "SecretsProvider",
  "config": {
    "stores": [
      {
        "type": "KeyStoreSecretStore",
        "config": {
          "file": "/path/to/keystore.p12",
          "mappings": [
            {
              "aliases": [ "myprivatekeyalias" ],
              "secretId": "private.key.jwt.signing.key"
            }
          ],
          "storePasswordSecretId": "keystore.secret.id",
          "storeType": "PKCS12",
          "secretsProvider": "SystemAndEnvSecretStore-1"
        }
      }
    ]
  }
}
```

The following example shows the equivalent SecretsProvider configuration with an inline compact format:

```json
"secretsProvider": {
  "name": "KeyStoreSecretStore-1",
  "type": "KeyStoreSecretStore",
  "config": {
    "file": "/path/to/keystore.p12",
    "mappings": [
      {
        "aliases": [ "myprivatekeyalias" ],
        "secretId": "private.key.jwt.signing.key"
      }
    ],
    "storePasswordSecretId": "keystore.secret.id",
    "storeType": "PKCS12",
    "secretsProvider": "SystemAndEnvSecretStore-1"
  }
}
```

The following example shows the equivalent SecretsProvider configuration with a compact format, referencing a KeyStoreSecretStore object in the heap:

```json
"secretsProvider": "KeyStoreSecretStore-1"
```

## More information

[StatelessAccessTokenResolver](StatelessAccessTokenResolver.html)

[Secrets](secrets.html)

[org.forgerock.secrets.SecretsProvider](../_attachments/apidocs/org/forgerock/secrets/SecretsProvider.html)